Systems and methods for updating and synchronizing changes to security caches

ABSTRACT

Embodiments relate to systems and methods for maintaining data consistencies among a set of security caches. In aspects, a set of application servers comprising a set of security caches can submit a provisioning request to a provisioning server. The provisioning server can interface with a directory server that stores security data. Further, the provisioning server can send a command to the set of application servers that causes the data of the set of security caches to clear. In response, the directory server can send updated security data to the set of application servers, whereby the updated security data can be stored in the security caches of the set of application servers. Applications associated with the set of application servers can use the updated security data for validating user credentials or other functionality.

FIELD

The invention relates generally to systems and methods for maintaining security, and more particularly, to platforms and techniques for maintaining consistencies in security cache data across a cluster of application servers.

BACKGROUND

Application servers are entities in system and network environments in which various applications can execute or operate. In particular, application servers are dedicated to the efficient execution of processes, procedures, routines, scripts, and software code for supporting the functionalities of applications. Software developers can access application servers via various application programming interfaces (APIs).

The Java Platform, Enterprise Edition, Java EE, or J2EE are widely used platforms for server programming in the Java programming language. A J2EE container is a runtime entity that provides services to specialized Java components. Services provided by a container typically include life cycle management, security, deployment, and component-specific services. Containers are used in a wide variety of Java components, such as Enterprise JavaBeans (EJB), Web pages, Java Server Pages (JSP), servlets, applets, and application clients.

For security information, J2EE containers typically keep their security caches in a Java Virtual Machine (JVM) to avoid round-trip latency to third-party sources like a database or a directory service. However, when these sources change information (e.g. passwords, login credentials, attributes, etc.), the security cache can become inconsistent with what is current.

Typically, J2EE containers employ a timeout feature to attempt to keep their security cache current. However, timeouts are generally insufficient in keeping security caches current in dynamic environments. Further,

Therefore, it may be desirable to provide systems and methods for maintaining consistencies among security caches of application servers. In particular, it may be desirable to provide systems and methods for a provisioning server to provision security data updates to security caches of a requesting application server when updated data is available.

DESCRIPTION OF DRAWINGS

FIG. 1 illustrates an overall system architecture in which various aspects of systems and methods for maintaining security can be practiced, according to embodiments;

FIG. 2 illustrates a detailed system architecture in which various aspects of systems and methods for maintaining security can be practiced, in further regards;

FIG. 3 illustrates an exemplary hardware configuration for a provisioning server configured to provision one or more application servers, according to various embodiments; and

FIG. 4 illustrates a flowchart for configuring a provisioning of security data, according to various embodiments.

DESCRIPTION

Embodiments of the present teachings relate to systems and methods for maintaining security in a network. In particular, embodiments relate to platforms and techniques for maintaining data consistencies among a plurality of security caches associated with a set of application servers. A server management system or other logic can comprise a provisioning server coupled to a directory server. The provisioning server and the directory server can be configured to connect to the set of application servers. Each of the set of application servers can comprise a security cache configured to store security data or other data for use in conjunction with the set of application servers.

According to embodiments, a provisioning application running in one of the application servers can send a provisioning request to the provisioning server, for example to change security data. The provisioning server can send the request to the directory server that can store the security data associated with the application servers. Further, the provisioning server can send a command to each of the application servers that causes a security cache in each of the application servers to be cleared of data. In embodiments, the directory server can send updated security data to each of the application servers. The updated security data can be stored in each of the security caches of the application servers, such that the security caches comprise data consistent across the application servers.

Referring to FIG. 1, illustrated is an exemplary system 100 in which the present systems and methods may be implemented. To help explain the principles of the present systems and methods, the system 100 is shown configured as a web application comprising functionality in which users must be authenticated via, for example, security cache data. Accordingly, as shown, the system 100 can comprise a client 102, a web server 104, an application server 106, a directory server 108, and a provisioning server 110. These components can be coupled together via networks 112 and 114, respectively, or other networks. It should be appreciated that other configurations and inclusions of other components are envisioned in accordance with the present systems and methods.

In embodiments, the client 102 can be any computer system that utilizes the services of another computer system, i.e., the web server 104 and the application server 106. As shown in FIG. 1, the client 102 can be implemented using components well known to those skilled in the art, such as a personal computer, laptop computer, personal digital assistant, mobile phone, tablet device, and the like. In the embodiments as shown in FIG. 1, the client 102 can be used to run Web applications via an application, such as a web browser.

In embodiments, the web server 104 can be a computer system configured to accept requests from clients, such as the client 102, and serve responses along with optional data contents. For example, a user of the client 102 can execute a Web application via the web server 104. In the embodiment as shown, the data content served by the web server 104 can be one or more Web pages that can include hypertext markup language (HTML) documents and linked objects such as, for example, images, video, audio, and the like.

The web server 104 can be implemented on a machine that comprises well known hardware and software. Well known software for the web server 104 can include, but is not limited to, software such as Apache HTTP Server from the Apache Software Foundation, Internet Information Services by Microsoft Corporation®, and Sun Java System Web Server from Sun Microsystems Inc®. One skilled in the art will recognize that any of the many different Web server programs available are consistent with the principles of the present invention.

The application server 106 can be software that provides applications to the client 102. In particular, the application server 106 can be configured to handle security, business logic, and data access for the applications provided to the client 102. In embodiments, the application server 106 can be configured to provide a variety of Web-based applications, such as e-commerce applications, content management applications, customer relations management applications, and the like.

The application server 106 can be implemented on various software platforms. For example, the application server 106 can be implemented on the well known J2EE platform from Sun Microsystems Inc®. In addition, the application server 106 can comprise middleware configured to enable applications to intercommunicate with dependent applications, such as the web server 104, database management systems, etc.

In further embodiments, the application server 106 can be implemented using well known software. For example, the application server 106 can be implemented using software, such as WebLogic server from BEA Systems Inc®, JBoss from Red Hat Inc.®, Websphere from the IBM Corporation®, and the like. Accordingly, the application server 106 can implement the Java programming language and provide Web modules using servlets and JavaServer pages. Other functions of the application server 106 can also employ Java. For example, business logic provided by the application server 106 can be built into Enterprise JavaBeans (EJBs). J2EE can provide standards for containing the Web components. In addition, security services, such as authentication and authorization, can be implemented using the Java Authentication and Authorization Service (JAAS) or similar service.

The directory server 108 can represent the components that store and organize information about the users of the system 100 and allow an administrator of the system 100 to manage those users' access to the resources of the system 100. In embodiments, the directory server 108 can comprise a database (not shown) that can store information about named objects that are managed. The directory server 108 can also provide the access interface to the data that is contained in this database. The directory server 108 can be implemented using well known technologies. For example, the directory server 108 can be implemented as an X.509 directory service or Lightweight Directory Access Protocol (LDAP) service. In embodiments, the directory server 108 can be implemented as services from various vendors such as, for example, Red Hat Directory Server from Red Hat Inc.®; Active Directory by the Microsoft Corporation®; Apache Directory Server by the Apache Software Foundation; and Sun Java System Directory Server by Sun Microsystems Inc®.

In embodiments, the provisioning server 110 can be software, hardware, or a combination thereof that can be configured to listen for provisioning requests in the system 100 and return provisioning responses. In some embodiments, the provisioning server 110 can be configured as a service provisioning markup language (SPML) provisioning service provider. The provisioning server 110 can be implemented as a separate software component of the system 100 or can be integrated with other components of the system 100. For example, the provisioning server 110 can be a component that is installed as part of the directory server 108.

In embodiments, the network 114 can represent the communications infrastructure for allowing the client 102 and the web server 104 to communicate with each other. For example, the network 114 can represent the Internet, which is a worldwide, publicly accessible network that uses the Internet Protocol (IP) suite of standards. In embodiments, the network 112 can represent the communications infrastructure that allows the web server 104, the application server 106, the directory server 108, and the provisioning server 110 to communicate with each other. In embodiments, the network 112 can be implemented as a local area network or may utilize one or more larger networks, such as the Internet.

FIG. 2 illustrates a detailed embodiment of a security data provisioning system 200. In embodiments, the system 200 can comprise a set of application servers 205, 210, 215. According to embodiments, the set of application servers 205, 210, 215 can all belong to a cluster, or, in embodiments, one or more of the set of application servers 205, 210, 215 can comprise a cluster. For example, application servers 205, 210 can belong to a cluster, and application server 215 can join or leave the cluster at any point.

Each of the application servers 205, 210, 215 can comprise a security cache 220. In embodiments, the security cache 220 can store or be configured to store security data or other forms of data. For example, the security data can be related to user credentials such as user login and password information, or other attributes. It should be appreciated that the security cache 220 can be configured to be any size and to store any type of data over any period of time. As shown in FIG. 2, each of the application servers 205, 210, 215 can be configured to connect to a provisioning server 230 and/or a directory server 235 via a network such as the Internet (not shown in figures) or any other type of connection. In embodiments, the provisioning server 230 and the directory server 235 can be housed in the same location, or in separate locations. Further, in embodiments, the directory server 235 can comprise a local or remote database 236 configured to store provisioning, security, or other related data.

According to embodiments, one of the application servers can submit a provisioning request to the provisioning server 230. For example, as referenced by 240 in FIG. 2, the application server 215 can send the provisioning request. In embodiments, a provisioning application associated with the application server 215 can send the provisioning request. In embodiments, the application server 215 can be a member of a cluster with the other application servers 205, 210, or can be separate from the other application servers 205, 210.

In embodiments, once the provisioning server 230 receives the provisioning request, the provisioning server 230 can be configured to send the provisioning request to the directory server 235, as referenced by 245 in FIG. 2. Further, in embodiments, the provisioning server 230 can be configured to send a command, request, instruction, and/or the like to any or all of the application servers 205, 210, 215, wherein the command, request, instruction, and/or the like can be configured to cause data of the respective security cache 220 in each of the application servers 205, 210, 215 to be cleared, invalidated, overwritten, and/or the like. As shown in FIG. 2, reference 245 can refer to the provisioning server 230 sending a cache overwrite instruction to application servers 205, 210. In response to receiving the cache overwrite instruction, a processor, module, or other logic associated with the application servers 205, 210 can be configured to overwrite appropriate data of each of the respective security caches 220. In embodiments, the provisioning server 230 can concurrently send the cache overwrite instruction to the appropriate application servers and the provisioning request to the directory server 235.

In embodiments, in response to the respective application servers clearing the respective security caches 220, the directory server 235 can be configured to send security data to the respective application servers, to be stored in the respective security caches 220. The security data can be the most recent or updated security data available to the directory server 235. In embodiments, the security data can be retrieved from the database 236 or from other memory. As referenced by 250 in FIG. 2, the directory server 235 can be configured to send the security data to each of the application servers 205, 210, 215, including the application server 215 that originally sent the provisioning request (as referenced by 240).

In response to receiving the security data, a processor, module, or other logic associated with the application servers 205, 210, 215 can be configured to store the security data in each of the respective security caches 220. Accordingly, the security caches 220 of each of the application servers 205, 210, 215 can comprise the most recent or updated security data available to the directory server 235. In embodiments, each of the application servers 205, 210, 215 can execute their respective applications utilizing the updated security data of each of the security caches 220.

In embodiments, the provisioning server 230, the directory server 235, or other logic can be configured to receive an indication of updated security data. Further, the provisioning server 230, the directory server 235, or other logic can access the updated security data. For example, an administrator, owner, or other entity can modify a user credential entry, or any other type of security data, directly within the directory server 235, and the directory server 235 can notify the provisioning server 230 or any of the application servers 205, 210, 215 of the updated data. In another example, the security data can be updated remotely from the directory server 235, and the updated security data can be provided to the directory server 235 for storage.

As an example of the present embodiments, a banking institution is provided with a plurality of application servers that perform applications related to account servicing. Employees of the bank have login credentials to access the applications and conduct the associated functionality, wherein the application servers can store the login credentials in respective security caches. Further, different application servers can comprise different applications. For example, one application server can comprise an application used to open accounts, and another application server can comprise another application used to transfer money among bank accounts. When the bank hires a new employee, the new employee can be assigned login credentials to access the applications. However, the security caches of the application servers may not have updated data with the new employee's login credentials. Therefore, the security caches need to be provisioned with updated security data so that the employee can access and execute the associated applications.

As discussed herein, a provisioning request can be received at a provisioning server of the bank, which can in turn be provided to a directory server that can store the most recently updated security data. The provisioning server can send cache invalidation requests to the application servers, which can cause the security caches of the application servers to be cleared. In response to clearing the security caches, the directory server can send the updated security data, comprising the login credentials for the new employee, to the application servers for storage in the security cache. Accordingly, when the new employee attempts to log in or otherwise access any applications associated with the application servers, the updated security cache data will have the new employee's login credentials, as needed.

FIG. 3 illustrates an exemplary diagram of hardware and other resources that can be incorporated in a provisioning server 304 configured to communicate with a set of application servers, and/or other entities, services, or resources via one or more networks 306 and/or other connections, according to aspects. In embodiments, the directory server 235 can comprise the same or similar elements as described with respect to the provisioning server 304, or can be configured with different hardware and software resources. In embodiments as shown, the provisioning server 304 can comprise a processor 330 communicating with memory 332, such as electronic random access memory, operating under control of or in conjunction with an operating system 336. The operating system 336 can be, for example, a distribution of the Linux™ operating system, the Unix™ operating system, or other open-source or proprietary operating system or platform. The processor 330 can also communicate with a database 338, such as a database stored on a local hard drive, and a set of applications 340, to execute control logic and control the operation of the set of application servers 205, 210, 215, the distribution server 235, and/or other resources. The processor 330 can further communicate with a network interface 334, such as an Ethernet or wireless data connection, which in turn communicates with the one or more networks 306, such as the Internet or other public or private networks. Other configurations of the provisioning server 304, associated network connections, and other hardware, software, and service resources are possible.

FIG. 4 illustrates a flowchart of overall processing that can be used to maintain security cache data across a cluster of application servers, according to various aspects of the present teachings. In 402, processing can begin. In 404, a provisioning request can be received from a server belonging to a cluster of servers. In embodiments, the provisioning request can be received at a provisioning server from an application server that is attempting to join the cluster of servers. In 406, the provisioning request can be sent to a directory server that stores security data for a security cache of each application server of the cluster of application servers. In embodiments, the provisioning request can be sent from the provisioning server to the directory server. In further embodiments, the provisioning server can be a part of the directory server.

In 408, a cache invalidation request can be sent to each application server of the cluster of application servers. In embodiments, the cache invalidation request can be sent from the provisioning server. In 410, the security cache of each application server of the cluster of application servers can be cleared upon receiving the cache invalidation request. In embodiments, the cache invalidation request can serve to overwrite, erase, or otherwise clear data already in the security caches of the application servers. Further, the security data that is overwritten can be stored in a temporary buffer to ensure that backup data exists in case of, for example, a data write failure.

In 412, the directory server can send updated security data to the security cache of each application server of the cluster of application servers. In embodiments, the updated security data can be modified in the directory server by an administrator or another entity. In 414, the security cache of each application server of the cluster of application servers can store the updated security data received from the directory server. In embodiments, the updated security data can overwrite all the data of the corresponding security cache, or can be stored in addition to any data in the corresponding security cache. In 416, processing can repeat, return to a prior processing point, jump to a further processing point, or end.
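
The FIG. 4 flow (steps 404 to 414), set against the stale-cache condition described in the BACKGROUND, as an added Python simulation that is not part of the patent text. The class names, the server names app-205/210/215, the SHA-256 verifier, the sample passwords, and the choice to restore the temporary buffer on a write failure and report that server as stale are assumptions made for illustration.

```python
import hashlib
import hmac


def verifier(password):
    # Constructed stand-in for stored security data; real systems use a salted KDF.
    return hashlib.sha256(password.encode()).hexdigest()


class DirectoryServer:
    """Authoritative store of security data (directory server 235)."""
    def __init__(self):
        self.entries = {}

    def apply(self, user, password):
        self.entries[user] = verifier(password)

    def snapshot(self):
        return dict(self.entries)


class ApplicationServer:
    """Validates logins against its local security cache 220 only."""
    def __init__(self, name):
        self.name = name
        self.cache = {}
        self.backup = None            # temporary buffer filled in step 410
        self.fail_next_store = False  # hook that simulates a data write failure

    def invalidate(self):             # step 410: buffer the old data, then clear
        self.backup = dict(self.cache)
        self.cache = {}

    def store(self, data):            # step 414: store the updated security data
        if self.fail_next_store:
            self.fail_next_store = False
            # Assumption: on a write failure the buffered data is restored.
            self.cache = dict(self.backup or {})
            raise OSError("simulated cache write failure")
        self.cache = dict(data)
        self.backup = None

    def authenticate(self, user, password):
        cached = self.cache.get(user)
        return cached is not None and hmac.compare_digest(cached, verifier(password))


class ProvisioningServer:
    def __init__(self, directory, cluster):
        self.directory = directory
        self.cluster = cluster

    def provision(self, user, password):
        self.directory.apply(user, password)   # step 406
        for server in self.cluster:            # steps 408 and 410
            server.invalidate()
        return self.push()

    def push(self):                            # steps 412 and 414
        data = self.directory.snapshot()
        stale = []
        for server in self.cluster:
            try:
                server.store(data)
            except OSError:
                stale.append(server.name)      # still serving pre-update data
        return stale


def run_demo():
    directory = DirectoryServer()
    cluster = [ApplicationServer(n) for n in ("app-205", "app-210", "app-215")]
    prov = ProvisioningServer(directory, cluster)
    out = {}
    prov.provision("alice", "old-pw")          # constructed sample credentials
    # Password changed in the directory only: every cache is now stale.
    directory.apply("alice", "new-pw")
    out["stale_accepts_old"] = all(s.authenticate("alice", "old-pw") for s in cluster)
    out["stale_rejects_new"] = not any(s.authenticate("alice", "new-pw") for s in cluster)
    # Provisioning flow with one simulated write failure on app-210.
    cluster[1].fail_next_store = True
    out["failed"] = prov.provision("alice", "new-pw")
    out["old_pw_after_failure"] = {s.name: s.authenticate("alice", "old-pw") for s in cluster}
    out["failed_after_retry"] = prov.push()
    out["consistent"] = all(
        s.authenticate("alice", "new-pw") and not s.authenticate("alice", "old-pw")
        for s in cluster)
    return out
```

A server returned in the stale list keeps accepting the superseded credential until a later push succeeds, so the list is what an operator would monitor and retry on.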

The foregoing description is illustrative, and variations in configuration and implementation may occur to persons skilled in the art. For example, while embodiments have been described in which the provisioning server 230 resides in a single server or platform, in embodiments the provisioning server 230 and associated logic can be distributed among multiple servers, services, or systems. Similarly, while embodiments have been described in which one set of application servers 205, 210, 215 can be provisioned with updated security data, in embodiments, multiple sets of application servers can be provisioned in conjunction with operations of the provisioning server 230 and/or the directory server 235. Other resources described as singular or integrated can in embodiments be plural or distributed, and resources described as multiple or distributed can in embodiments be combined. The scope of the invention is accordingly intended to be limited only by the following claims.

1. A method of synchronizing data, comprising: receiving, at a provisioning server, a provisioning request from a set of servers, wherein each server of the set of servers comprises a cache and is configured to execute a set of applications; identifying, in response to receiving the provisioning request, security data compatible with the cache of each server of the set of servers; sending a command to each server of the set of servers to clear the cache of each server of the set of servers; and sending the security data to the cache of each server of the set of servers.
 2. The method of claim 1, wherein the security data is stored in the cache of each server of the set of servers.
 3. The method of claim 1, wherein identifying the security data comprises sending the provisioning request to a directory server that stores the security data, and wherein the directory server sends the security data to the cache of each server of the set of servers.
 4. The method of claim 3, wherein the directory server is part of the provisioning server.
 5. The method of claim 1, wherein the provisioning request is received from a first server of the set of servers, and wherein each server of the set of servers except the first server is a member of a cluster set.
 6. The method of claim 5, wherein the provisioning request is received in response to the first server attempting to join the cluster set.
 7. The method of claim 1, wherein the provisioning request is received from a provisioning application running in the set of servers.
 8. The method of claim 1, wherein the security data comprises information associated with users of the set of applications.
 9. The method of claim 1, further comprising: receiving an indication that updated security data is available; and sending the updated security data to a directory server for storage.
 10. The method of claim 1, further comprising: receiving an indication that updated security data is available in a directory server; and notifying the set of servers of the updated security data.
 11. A system for synchronizing data, comprising: an interface to a provisioning server; and a processor, communicating with the provisioning server via the interface, the processor being configured to: receive a provisioning request from a set of servers, wherein each server of the set of servers comprises a cache and is configured to execute a set of applications; identify, in response to receiving the provisioning request, security data compatible with the cache of each server of the set of servers; send a command to each server of the set of servers to clear the cache of each server of the set of servers; and send the security data to the cache of each server of the set of servers.
 12. The system of claim 11, wherein the security data is stored in the cache of each server of the set of servers.
 13. The system of claim 11, wherein identifying the security data comprises sending the provisioning request to a directory server that stores the security data, and wherein the directory server sends the security data to the cache of each server of the set of servers.
 14. The system of claim 13, wherein the directory server is part of the provisioning server.
 15. The system of claim 11, wherein the provisioning request is received from a first server of the set of servers, and wherein each server of the set of servers except the first server is a member of a cluster set.
 16. The system of claim 15, wherein the provisioning request is received in response to the first server attempting to join the cluster set.
 17. The system of claim 11, wherein the provisioning request is received from a provisioning application running in the set of servers.
 18. The system of claim 11, wherein the security data comprises information associated with users of the set of applications.
 19. The system of claim 11, wherein the processor is further configured to: receive an indication that updated security data is available; and send the updated security data to a directory server for storage.
 20. The system of claim 11, wherein the processor is further configured to: receive an indication that updated security data is available in a directory server; and notify the set of servers of the updated security data.